By Hassan Sadisu Imam

Introduction

The Central Bank of Nigeria (CBN) issued a circular on May 6, 2024, mandating all banks, mobile money operators, and payment service providers to implement a new cybersecurity levy in accordance with the provisions outlined in the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024. According to the Act, a levy amounting to 0.5 percent of the value of all electronic transactions will be collected and remitted to the National Cybersecurity Fund, overseen by the Office of the National Security Adviser. In today’s interconnected world, cybersecurity is no longer merely a concern for governments and businesses; it is a responsibility shared by individuals, corporations, and governments alike. This underscores the essential nature of the Cybercrime (Prohibition, Prevention, etc.) (Amendment) Act 2024. From safeguarding personal information to protecting critical infrastructure, cybersecurity plays a crucial role in ensuring the stability and security of our digital environment. Businesses have a responsibility to safeguard not only their infrastructure but also their customers’ sensitive data. A security breach can lead to significant financial losses, reputational damage, and legal ramifications.

In 2022, Nigeria joined 66 other countries in signing and ratifying the Budapest Convention on Cybercrime to enhance international cooperation, provide a common platform and procedural tools for a safe and efficient cyberspace, necessitating conformity of Nigerian cybercrime and cybersecurity laws and policies with regional and international standards. Government involvement in cybersecurity is crucial for coordinating national cybersecurity strategies, facilitating information sharing between public and private sectors, and enforcing cybersecurity regulations to ensure compliance. The legislative review by the National Assembly led to the enactment of the Cybercrimes Amendment Act 2024. This article delves into the key provisions and innovations introduced by the Amendment Act, exploring its impact on both Nigerians and the broader cyberspace landscape upon implementation.

 KEY PROVISIONS IN THE AMENDMENT ACT

  1. Implementation of the Cybersecurity Levy

Section 44(2)(a) of the Principal Act established a levy of 0.005 on electronic transactions for businesses listed in the second schedule of the Principal Act. However, compliance with this provision has been lacking due to ambiguity in its wording, particularly concerning the figure 0.005, which does not accurately reflect the draftsmen’s intention of the Act. The new amendment to section 44 (2)(a) now states as follows:

A levy of 0.005 equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to this Act [1]

It is noted that the current Cybercrime Act 2024 amends the Cybercrimes (Prohibition, Prevention, etc.) Act No. 17, 2015, to correct some consequential words that were inadvertently omitted in the Act, specifically Section 44 of the Principal Act. This clarifies the ambiguity on the levy, thereby explicitly stating it as “a levy of 0.005, equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to this Act.” Many undefined clauses, phrases, and words, including “0.005,” which were ambiguities in the principal Act, are now resolved in the new law [2]

These provisions on the cybersecurity levy have been in the principal Act since 2015, yet implementation has been hindered due to vagueness in interpretations and applications. The wording of the CBN circular allows for multiple interpretations, including the levy being paid by bank customers, Nigerians, which goes against the letters and spirit of Section 44(2)(a) and the Second Schedule to the Cybercrimes Act, specifying the businesses subject to the levy.

The confusion stems from the provisions of the repealed Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, as well as a 2018 CBN circular that specified the rate as 0.005%. Section 44(2)(a) of the repealed Act noted “a levy of 0.005 of all electronic transactions by the businesses specified in the second schedule of this act,” intended to be credited to the “National Cyber Security Fund.” [3]

The new provision clearly states “a levy of 0.005, equivalent to a half percent of all electronic transactions value” to be made by “the business specified in the Second Schedule to this Act.”

The amended Act not only states the decimal value of the levy (0.005) as in the previous version but also introduces the percentage equivalent of the levy. Thus, section 44(2)(a) of the Amendment Act explicitly states that the levy applies to all electronic transactions valued by the businesses specified in the Second Schedule to this Act. This provision implies that electronic transactions conducted by the specified businesses will be subject to the levy. Conversely, electronic transactions carried out by businesses and individuals not included in the Second Schedule of the Cybercrimes Act are exempt from the levy requirement. If the lawmakers intended for the levy to apply to all electronic transactions conducted by customers of financial institutions, they would have explicitly mentioned so in the statutes and mandated the specified businesses to deduct the levies from eligible customers’ accounts and remit them to the Fund [4]

  1. Inclusion of the Requirement of the National Identification Number (NIN)

The Amendment Act mandates that customers conducting electronic financial transactions at financial institutions must present their National Identification Number (NIN) issued by the National Identity Management Commission (NIMC) for identity verification. This requirement aims to streamline the tracking of defaulters or perpetrators using NIN, which contains individual data, including physical addresses. Nevertheless, concerns exist that the implementation may encounter challenges, as defaulters might potentially create deceptive locations using authentic NINs.[5]

  1. 3. Manipulation of ATM/POS Terminals

The Principal Act focused solely on payment systems involving Automated Teller Machines (ATMs) and Point of Sale (POS) terminals, neglecting numerous other payment technologies widely utilized in Nigeria. With the introduction of the Amendment Act, a broader scope is established, holding individuals responsible for tampering with not only ATMs and POS terminals but also any other means of payment technology. This significant expansion considers the wide array of payment systems in Nigeria, ensuring comprehensive coverage and reducing the potential for fraud associated with non-traditional payment methods.[6]

  1. Reporting of Cyber Threats

In accordance with the Amendment Act, individuals and institutions encountering a cyberattack, intrusion, or disruption are required to promptly report to the National Computer Emergency Response Team (CERT) through their Sectoral CERTs or Security Operations Centers (SOCs) within a strict 72-hour window upon detection. Failure to comply with this mandate carries repercussions, including the suspension of internet access and a substantial mandatory fine of ₦2,000,000 (Two Million Naira) payable to the Nigerian Communications Commission (NCF). This streamlined reporting process to the National CERT is designed to efficiently address cyber threats and safeguard the integrity of the digital realm from potential disruptions.[7]

THE STATUTORY PROVISIONS THAT UNDERGONE SUBSEQUENT AMENDMENTS

Section 17(4) lists transactions excluded from the categories of declaration validated by electronic signatures.

The transactions excluded from the categories of contractual transactions or declarations validated by electronic signatures, unless legally verified in Certified True Copies, include but are not limited to:

– Creation and execution of wills, codicils, and other testamentary documents

– Death certificates

– Birth certificates

– Matters of family law, such as marriage, divorce, adoption, and related issues

– Issuance of court orders, notices, official court documents, like affidavits, pleadings, motions, and other judicial documents

– Any cancellations or terminations of utility services

– Any instruments required for the transportation or handling of dangerous materials, solid or liquid

– Any documents ordering the withdrawal of drugs, chemicals, or other materials based on the items’ safety or expiry concerns by an authorized authority.

This implies that the Certified True Copies of transactions or declarations listed under this subsection, previously excluded, must be submitted before an electronic signature can be accepted in relation to them. [8]

Section 21(1) is amended to require any individual or institution operating a public-private computer system or network to promptly inform the National Computer Emergency Response Team (CERT) Coordination Center through their respective sectoral CERTs or sectoral Security Operations Centers (SOCs) of any attacks, intrusions, or disruptions that might impede the functioning of another computer system or network to enable the National CERT to take necessary measures to address the issues. [9]

The amendment to 21(3) alters the timeline for reporting an incident on a computer system or network to ’72 hours of its detection’ from ‘7 days of its occurrence.

Section 22’s scope is broadened to include individuals involved in public and private organizations as liable for the offense of identity theft and impersonation. Previously, the Principal Act only included persons employed in financial institutions as liable for this offense. [10]

Sections 24(1)(a) and (b), defining the offense of cyberstalking, are amended to include specific criteria, narrowing the scope of materials constituting cyberstalking. This change signifies that some actions previously falling under cyberstalking will no longer be considered as such going forward. [11]

In section 27(2), the range of individuals liable for perpetrating fraud using computer systems or networks is expanded from an employee of ‘a financial institution’ to an employee of ‘any private or public organization.’ [12]

Sections 30(1) and (2) broaden the offenses of manipulating an ATM machine or Point of Sale terminal and connivance to perpetrate fraud using such devices to include ‘any other payment technology means. [13]

The amendment to section 37(1)(a) mandates financial institutions to authenticate the identity of customers using a ‘National Identification Number issued by the National Identity Management Commission and other valid’ documents containing personal information before issuing ATM cards, credit/debit cards, and related electronic devices.

The amendment to section 38(1) on the retention of traffic data and subscriber information records specifies that such records should be retained according to ‘the Nigeria Data Protection Act’. [14]

Section 41(1) is amended to include responsibilities of the Office of the NSA to ensure the establishment of sectoral Computer Emergency Response Teams (CERT) and maintain a National Computer Forensic Laboratory to be utilized by all law enforcement, Security, and Intelligent agencies. [15]

Section 48(4) outlining punitive measures for offenses under the Act has been omitted, including the cancellation of the international passport of a convicted individual and withholding a foreigner’s passport until they complete their sentence or pay any fines levied.[16]

 WHO PAYS THE 0.005% CYBERSECURITY LEVY?

The Central Bank of Nigeria (CBN) has instructed banks operating in the country to levy transactions for cybersecurity purposes, following the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024. As per Section 42(a) of the Cybercrime Act 2024, the entities responsible for remitting the levy include GSM service providers, telecommunications companies, internet service providers, banks and other financial institutions, insurance companies, and the Nigerian Stock Exchange. [17]

CONCLUSION

The Cybercrimes (Amendment) Act of 2024 marks a significant milestone in Nigeria’s fight against cybercrimes. The Act establishes a comprehensive legal, regulatory, and institutional framework that is effective and unified, focusing on the prohibition, prevention, detection, prosecution, and punishment of cybercrimes, as well as safeguarding critical national information infrastructure, promoting cybersecurity, and protecting various digital assets. While the Act specifies the responsibility for the levy, which does not fall on citizens, it has faced considerable criticism from legislators, businesses, and the general public. Considering the challenging economic conditions marked by inflation and escalating costs, it may be prudent to temporarily set aside the law per the House of Representatives’ suggestion for revisions addressing public concerns.

The primary objective of the cybercrime levy is to ensure dedicated funding is available to counter the growing cyber-attack threat. Several nations have introduced similar levies to finance cybersecurity initiatives. Nevertheless, it is crucial to consider a country’s economic context when implementing such measures, taking into account broader fiscal and tax reform goals that support enterprise growth and competitiveness.

REFERENCES

  1. Section 44(2) Cybercrimes (Prohibition, Prevention etc) Amendment Act 2024.
  2. Ibid
  3. Op.cit at page 2

4.Ibid

  1. Duale, Ovia & Alex- Adedipe “The Cybercrimes (Prohibition, Prevention, Etc.) (Amendment) Act 2024 – A Primer on Key Amendments” (www.doa-law.com )
  2. Ibid
  3. Ibid
  4. Section 17(4) Cybercrimes (Prohibition, Prevention etc) Amendment Act 2024.
  5. Section 21(1) of the Act
  6. Section 22 of the Act
  7. Section 24(1) of the Act
  8. Section 27(2) of the Act
  9. Section 30(1&2) of the Act
  10. Section 37 & 38 of the Act
  11. Section 41(1) of the Act
  12. Section 48 of the Act
  13. Section 42 (a) of the Act.

About the Author

Hassan Sadisu Imam is a lawyer at the law firm of Limelight Attorneys LLP in Kaduna. He possesses a strong passion for Constitutional Law and various aspects of Commercial Law.  He has published numerous articles covering a wide range of contemporary legal issues.

He can be reached via; hassanlimanesq@gmail.com

Follow Our WhatsApp Channel ______________________________________________________________________ “Enhance Legal Practice With Authoritative Reports” — Alexander Payne Offers Comprehensive Law Reports, Spanning Over A Century Of Nigerian Jurisprudence

Interested buyers are encouraged to place their orders and enquiries via: 0704 444 4777, 0704 444 4999, 0818 199 9888 Website: www.alexandernigeria.com

______________________________________________________________________ “Bridging Theory And Courtroom Practice” — Hagler Sunny Okorie, Nathaniel Ngozi Ikeocha Unveil ‘Functional’ Tort Law Book For Nigerian Legal System The book, titled The Law of Torts in Nigeria: A Functional Approach, authored by Professor Hagler Sunny Okorie Ph.D and Ikeocha, Nathaniel Ngozi Esq, offers law students, practitioners, and academics a comprehensive guide to understanding and applying tort law in Nigerian courts. Interested buyers can place orders via the following contact numbers: 08028636615, 08037667945, 08032253813, or +234 902 196 2209. _______________________________________________________________________ ARTIFICIAL INTELLIGENCE FOR LAWYERS: A COMPREHENSIVE GUIDE Reimagine your practice with the power of AI “...this is the only Nigerian book I know of on the topic.” — Ohio Books Ltd Authored by Ben Ijeoma Adigwe, Esq., ACIArb (UK), LL.M, Dip. in Artificial Intelligence, Director, Delta State Ministry of Justice, Asaba, Nigeria. Bonus: Get a FREE eBook titled “How to Use the AI in Legalpedia and Law Pavilion” with every purchase.

How to Order: 📞 Call, Text, or WhatsApp: 08034917063 | 07055285878 📧 Email: benadigwe1@gmail.com 🌐 Website: www.benadigwe.com

Ebook Version: Access directly online at: https://selar.com/prv626

________________________________________________________________________ [A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
“Evidence Act: Complete Annotation” by renowned legal experts Sanni & Etti.
Available now for NGN 40,000 at ASC Publications, 10, Boyle Street, Onikan, Lagos. Beside High Court, TBS. Email publications@ayindesanni.com or WhatsApp +2347056667384. Purchase Link: https://paystack.com/buy/evidence-act-complete-annotation ____________________________________________________